CYFIRMA INDUSTRY REPORT : LOGISTICS

Published On : 2024-06-04

EXECUTIVE SUMMARY

The CYFIRMA Industry Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. This report focuses on the logistics industry, presenting key trends and statistics in an engaging infographic format.

INTRODUCTION

Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the logistics industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting the logistics industry.
 
We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.

METHODOLOGY

CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by manual CTI research.

For the purpose of these reports, we leverage the following data from our platform. This data is processed by AI and ML automation based on both human research input and automated ingestion.

OBSERVED ATTACK CAMPAIGNS

  • Leveraging our Early Warning platform data set, we present known attack campaigns conducted by known advanced persistent threat actors, both nation-state and financially motivated.
  • Each attack campaign may target multiple organizations across various countries.
  • Campaign durations can vary from weeks to months or even years. They are sorted by the “last seen” date of activity to include the most relevant ones. Note that this may result in campaigns stacking up on later dates, affecting time-based trends.
  • Attribution to specific threat actors can be murky due to increasingly overlapping TTPs and commodity tools used. While suspected threat actors in this report are attributed with high confidence, we acknowledge the potential for inaccuracy.

PHISHING

  • Our data focuses on phishing campaigns rather than individual phishing or spear-phishing emails, which may limit visibility into more advanced single-target attacks.
  • Our primary focus is on detecting brand impersonation over intended targets. Due to our collection methodology and automation, we may not present comprehensive victimology for phishing campaigns across all industries, as some are simply not good phishing lures.

RANSOMWARE

  • The victim data presented in this report is directly sourced from the blogs of respective ransomware groups. However, it’s worth noting that certain blogs may provide limited victim information, such as only names or domains, while others may be entirely obfuscated. These limitations can impact the accuracy of victimology during bulk data processing.
  • In some cases, multiple companies share the same name but are located in different countries, which may lead to discrepancies in geography and industry. Similar discrepancies occur with multinational organizations where we are not able to identify which branch in which country was compromised. In such a case, we count the country of the company’s HQ.
  • During the training of our processing algorithms, we manually verified results for industry and geography statistics at an accuracy rate of 85% with a deviation of ±5%. We continuously fine-tune and update the process.
  • Data related to counts of victims per ransomware group and respective dates are 100% accurate at the time of ingestion, as per their publishing on the respective group’s blog sites.
  • Finally, we acknowledge that many victims are never listed as they are able to make a deal with the attackers to avoid being published on their blogs.

While this report contains statistics and graphs generated primarily by automation, it undergoes thorough review and enhancement for additional context by CYFIRMA CTI analysts to ensure the highest quality and provide valuable insights.

ADVANCED PERSISTENT THREAT ATTACK CAMPAIGNS

Logistics organizations featured in 2 out of the 7 observed campaigns, a presence in 28% of campaigns.

OBSERVED CAMPAIGNS PER MONTH

We are currently observing a period of low detections, with two campaigns observed in March and April, followed by no detections in May.

SUSPECTED THREAT ACTORS

We observed a mix of suspected threat actors. One campaign showed overlapping TTPs between the Chinese Mustang Panda and MISSION2025. The second campaign is attributed to the Lazarus Group from the DPRK.

GEOGRAPHICAL DISTRIBUTION

Recorded victims of observed attack campaigns span 13 different countries. Thailand recorded victims in both of the observed campaigns.

TOP ATTACKED TECHNOLOGY

Web applications continue to rank as the most targeted technology across industries. Additionally, compromises were observed in operating systems and IaaS solutions.

APT CAMPAIGNS

EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Moderate

In the past 90 days, logistics organizations have been moderately impacted by advanced persistent threat (APT) campaigns. Notably, 28% of the observed APT campaigns targeted the logistics sector, with 2 out of 7 total campaigns affecting this industry.

Monthly Trends
We are currently observing a generally low detection period. However, the monthly figures show low but sustained APT activity.

Key Threat Actors
The active threat actors identified were the Lazarus Group from North Korea and the Chinese APT Mustang Panda with MISSION2025. Their respective motivations are split between nation-state objectives (CN) and financial gain (DPRK).

Geographical Impact
The campaigns impacted a total of 13 countries, with Thailand being hit by both. This geographical spread correlates with the broad strategic interests of involved nation-states sponsoring these threat actors.

Targeted Technologies
Web applications remain the most targeted technology and were attacked by both campaigns. Additionally, operating systems and IaaS solutions were also compromised.

PHISHING ATTACKS IN THE LOGISTICS INDUSTRY

Over the past 3 months, CYFIRMA’s telemetry detected 10,293 phishing campaigns themed around logistics out of a total of 314,045.

The chart below illustrates the global distribution of observed themes. Logistics & Couriers and Transportation account for 3.28% of all captured phishing attempts.

GLOBAL DISTRIBUTION OF PHISHING THEMES

TOP IMPERSONATED BRANDS

While the United States Postal Service (USPS) faced a high-volume impersonation campaign in the past 90 days, the remaining observed brands show high geographical diversity. Also, both national postal and transportation services as well as international logistics companies are present.

TOP COUNTRIES OF ORIGIN (ASN)

The geographical sources of observed phishing campaigns closely correlate with the impersonated brands. Additionally, the United States serves as a significant source for many international campaigns, owing to the large number of compromised devices utilized in botnets, which are then used to distribute phishing attacks.

PHISHING

EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Moderate

The logistics sector remains a popular phishing theme due to the direct monetization avenue it offers threat actors. Despite a decreasing overall share, the total number of captured samples continues to grow mildly every 90 days.

The United States Postal Service (USPS) stands out as the most impersonated brand, indicating a large U.S. phishing campaign in the last 90 days. Following this, DHL (Germany), SBB (Vietnam), and Linkt (Australia) are also significantly targeted.

Overall, the list includes 38 organizations from 50 countries, such as Japan Post Service (Japan), SwissPass (Switzerland), and SaudiPost (Saudi Arabia), underscoring the worldwide nature of these threats.

ASN-origin data reveals that the United States is the leading source of phishing emails impersonating financial organizations, reflecting the extensive financial sector in the U.S. and the vast number of compromised devices used in botnets to send phishing emails. Significant activity is also observed in Germany, Canada, and the Netherlands for similar reasons. Furthermore, Hong Kong is often used by Chinese cybercriminals as a proxy. Southeast Asia and Latin America are steadily growing as both sources and targets of global logistics-themed phishing.

The presence in both developed and developing nations highlights that phishing campaigns are opportunistic and globally pervasive. Regional variations suggest more sophisticated attacks in high-count countries, while lesser-known regions like Kyrgyzstan or Gabon show expanding attacker reach.

RANSOMWARE VICTIMOLOGY

In the past 90 days, CYFIRMA has identified 58 verified ransomware victims in the logistics industry. This accounts for 4.9% of the overall total of 1,191 ransomware victims during the same period.

GLOBAL DISTRIBUTION BY INDUSTRY

VICTIMS PER LOGISTICS INDUSTRY SECTORS

Freight transportation and forwarding, and logistics solutions, are the most frequent victims of ransomware in the logistics industry.

INDUSTRY MONTHLY ACTIVITY CHART

Considering that only a single day of February is included, we can see a remarkably consistent number of victims during March, April and May.

BREAKDOWN OF ACTIVITY PER GANG

A breakdown of the monthly activity provides insights into which gangs were active each month. For example, LockBit3 came back in May and Hunters, Ra Group and Inc Ransom reported many victims in March.

INDUSTRY RANSOMWARE VICTIMS PER GANG

In total, 26 out of 54 active groups recorded logistics-organization victims in the past 90 days. Notably, victims were widely distributed among a large number of groups in this period.

ALL RANSOMWARE VICTIMS PER GANG

Comparing the logistics industry to all recorded victims, none of the gangs particularly stands out with a high percentage of victims in this industry. The highest are Dragonforce with 4 out of 30 (13.3%) and Cactus with 4 out of 48 (12%).

GEOGRAPHIC DISTRIBUTION OF VICTIMS

The geographic distribution heatmap underscores the widespread impact of ransomware, highlighting the countries where victims in this industry have been recorded.

INDUSTRY VICTIMS PER COUNTRY

In total, 18 countries recorded ransomware victims, with the US alone accounting for ~38% of all victims with identified geography.

RANSOMWARE

EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Moderate

The logistics industry placed 8th by number of victims. It faces a sustained ransomware threat, with attacks affecting a wide range of sub-sectors and a broad geographic distribution. The steady monthly activity, coupled with the involvement of numerous ransomware groups, highlights the ongoing risk.

Monthly Activity Trends
Ransomware activity in the logistics industry has shown remarkably consistent numbers of victims each month.

The Hunters, Ra Group and Inc Ransom gangs recorded most of their victims in March, whereas the return of LockBit3 propped up victim numbers in May.

Ransomware Gangs
A total of 26 out of 54 active ransomware groups targeted the logistics industry in the past 90 days:

Dragonforce: 13.3% of their victims were from the logistics industry (4 out of 30 victims).

Cactus: 12% of their victims were from the logistics industry (4 out of 48 victims).

The high distribution among many groups indicates no single gang currently dominates the ransomware landscape in the logistics sector.

Geographic Distribution
The geographic distribution of ransomware victims in the logistics industry reflects the industry's global nature and the widespread reach of these attacks:

38% of all victims with identified geography are located in the US.

In total, 18 countries recorded ransomware victims in the logistics industry.

For a comprehensive, up-to-date global ransomware tracking report, please refer to our new monthly “Tracking Ransomware” series here.

CONCLUSION

In the past 90 days, logistics organizations have faced medium risk across monitored categories.

APT campaigns have moderately impacted the logistics sector, with 28% of the observed campaigns targeting this industry. Observed threat actors are the Lazarus Group (North Korea) and the Chinese APT Mustang Panda with MISSION2025, driven by financial and nation-state motivations respectively. Geographically, the campaigns affected 13 countries, with Thailand being impacted by both groups. Key technologies targeted include web applications, operating systems, and IaaS solutions. Despite a low overall detection period, there is sustained monthly APT activity.

Phishing remains a prevalent impersonation threat, leveraging the logistics theme for direct monetization. The total number of phishing samples has seen mild growth, with the United States Postal Service (USPS) being the most impersonated brand. Other significant targets include DHL (Germany), SBB (Vietnam), and Linkt (Australia). Phishing activity is globally pervasive, with notable origins in the United States, Germany, Canada, and the Netherlands. Chinese cybercriminals frequently use Hong Kong as a proxy, and there is growing activity in Southeast Asia and Latin America. The presence in both developed and developing nations highlights the opportunistic and widespread nature of phishing attacks.

Ransomware attacks remain a significant risk. The logistics industry is the 8th most targeted sector for ransomware attacks, with remarkably consistent monthly activity. Significant ransomware groups include Dragonforce, Cactus, and returning LockBit3. Out of 54 active ransomware groups, 26 targeted the logistics sector, affecting 18 countries, with 38% of victims located in the US. This broad geographic distribution underscores the global nature and persistent risk of ransomware in the logistics industry.